Overview

Task                                       Score
overview                                   10
static                                     1
Desktop.zip (windows7-x64)                 1
Desktop.zip (windows10-2004-x64)           1
babyk/babyk.exe (windows7-x64)             10
babyk/babyk.exe (windows10-2004-x64)       10
babyk/builder.exe (windows7-x64)           1
babyk/builder.exe (windows10-2004-x64)     1
babyk/decryptor.exe (windows7-x64)         3
babyk/decryptor.exe (windows10-2004-x64)   3
conti/decryptor.exe (windows7-x64)         1
conti/decryptor.exe (windows10-2004-x64)   1
conti/locker.exe (windows7-x64)            7
conti/locker.exe (windows10-2004-x64)      7

Analysis
max time kernel: 114s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-03-2023 13:56
Tasks

Static task static1
Behavioral task behavioral1:  sample Desktop.zip, resource win7-20230220-en
Behavioral task behavioral2:  sample Desktop.zip, resource win10v2004-20230220-en
Behavioral task behavioral3:  sample babyk/babyk.exe, resource win7-20230220-en
Behavioral task behavioral4:  sample babyk/babyk.exe, resource win10v2004-20230220-en
Behavioral task behavioral5:  sample babyk/builder.exe, resource win7-20230220-en
Behavioral task behavioral6:  sample babyk/builder.exe, resource win10v2004-20230220-en
Behavioral task behavioral7:  sample babyk/decryptor.exe, resource win7-20230220-en
Behavioral task behavioral8:  sample babyk/decryptor.exe, resource win10v2004-20230220-en
Behavioral task behavioral9:  sample conti/decryptor.exe, resource win7-20230220-en
Behavioral task behavioral10: sample conti/decryptor.exe, resource win10v2004-20230220-en
Behavioral task behavioral11: sample conti/locker.exe, resource win7-20230220-en
General

Target: conti/locker.exe
Size: 1.4MB
MD5: f9f2b0dca4ff4365b98599afb5c1e14e
SHA1: 9cac04b31f29b81c89cfd840e160a1185768c699
SHA256: 2b19e130390bf1a65c40a909a3dc5ce2af96d921d2bb4949724be9085e0abbe7
SHA512: 52d586efaeea2e3350e08ce53b3b8fef63c4cd22eab757aa7d42a6534011d505ad14c39b59d70f45a17ed0035bc234fd0dffef209739a81cae8841b214d1308a
SSDEEP: 12288:GZH7AAO2VRbDEsLC3L79iiauuxJ8QahIha4B7ByfdoiUriupSezaVm:GZH7Hc3L7yJGhIha4B1yfui8b2m
Malware Config
Signatures
Drops startup file (1 IoC)
Processes: locker.exe
description    ioc                                                               process
File created   C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\R3ADM3.txt   locker.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in Program Files directory 64 IoCs
Program crash (1 IoC)
Processes: WerFault.exe
pid   pid_target   process        target process
868   2584         WerFault.exe   locker.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: locker.exe
pid    process
2584   locker.exe
2584   locker.exe
Suspicious use of AdjustPrivilegeToken (45 IoCs)
Processes: vssvc.exe, WMIC.exe
description                   pid    process
Token: SeBackupPrivilege      4396   vssvc.exe
Token: SeRestorePrivilege     4396   vssvc.exe
Token: SeAuditPrivilege       4396   vssvc.exe
The following 21 token adjustments are recorded twice, in this order, for pid 736 (WMIC.exe):
Token: SeIncreaseQuotaPrivilege
Token: SeSecurityPrivilege
Token: SeTakeOwnershipPrivilege
Token: SeLoadDriverPrivilege
Token: SeSystemProfilePrivilege
Token: SeSystemtimePrivilege
Token: SeProfSingleProcessPrivilege
Token: SeIncBasePriorityPrivilege
Token: SeCreatePagefilePrivilege
Token: SeBackupPrivilege
Token: SeRestorePrivilege
Token: SeShutdownPrivilege
Token: SeDebugPrivilege
Token: SeSystemEnvironmentPrivilege
Token: SeRemoteShutdownPrivilege
Token: SeUndockPrivilege
Token: SeManageVolumePrivilege
Token: 33
Token: 34
Token: 35
Token: 36
Suspicious use of WriteProcessMemory (4 IoCs)
Processes: locker.exe, cmd.exe
description                          pid    process      target process
PID 2584 wrote to memory of 3508     2584   locker.exe   cmd.exe
PID 2584 wrote to memory of 3508     2584   locker.exe   cmd.exe
PID 3508 wrote to memory of 736      3508   cmd.exe      WMIC.exe
PID 3508 wrote to memory of 736      3508   cmd.exe      WMIC.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\conti\locker.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\conti\locker.exe"
  - Drops startup file
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2584

  Level 2: C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{01268568-5513-4879-B5BA-55AAC12E84B7}'" delete
    - Suspicious use of WriteProcessMemory
    PID: 3508

    Level 3: C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{01268568-5513-4879-B5BA-55AAC12E84B7}'" delete
      - Suspicious use of AdjustPrivilegeToken
      PID: 736

  Level 2: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 1068
    - Program crash
    PID: 868

Level 1: C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 4396

Level 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 2584 -ip 2584
  PID: 2144
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 16B
MD5: c8a54401701d688fe98cdcddded2cfd7
SHA1: a0edc8f3d7478982def3b3ccd68ee5deba023d00
SHA256: 9d780d55213a7d38022a3a2431f69192724606f32ebe27e181989f4ee1cafa4f
SHA512: 7e5caedbc912f7c677c700a83566025841e1665b70da99e9031f533f2b346f0b8a7ceb51704803ea761bb95374d4cfc9ae296659fd11b42ce0027c0092fbf41e